# CONFIGURED BY ANSIBLE
#
# trace wireguard connected peers
#
# Fluent Bit (classic-format) pipeline: tail a JSON file of WireGuard peers,
# normalise field names to the common vpn schema, enrich with GeoIP data and
# ship the records to OpenSearch. Values in {{ }} are Ansible template
# variables substituted when the file is rendered.
# NOTE(review): "#" is a full-line comment marker in this format; keep every
# comment on its own line so it is not read as part of a value.

[INPUT]
    name   tail
    path   /var/log/wireguard-peers.json
    tag    peers
    # the json_no_time parser is expected to be defined in the parsers file
    # referenced from the [SERVICE] section, which is not in this file — confirm
    parser json_no_time
    # NOTE(review): no "db" setting, so the read offset is not persisted across
    # restarts; add "db <state-file-path>" if peer records written while the
    # agent is down must not be missed

# use common source_ip field across various vpn engines
[FILTER]
    name      modify
    match     peers
    # rename only when endpoint_ip looks like a dotted IPv4 address
    # NOTE(review): IPv6 endpoints do not match, keep the endpoint_ip name and
    # are therefore not enriched by the geoip filter below — confirm intended
    condition key_value_matches endpoint_ip [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    rename    endpoint_ip source_ip

# casual/enriched geoip data for peer public ip
[FILTER]
    name       geoip2
    match      peers
    database   /etc/fluent-bit/GeoLite2-City.mmdb
    lookup_key source_ip
    # record <new_key> <lookup_key> <mmdb field>; names.ru selects the
    # Russian-locale name from the GeoLite2 database
    record     source_city_name source_ip %{city.names.ru}
    record     source_country_name source_ip %{country.names.ru}
    # lat/lon are prefixed nest_ so the nest filter below can fold them into a map
    record     nest_lat source_ip %{location.latitude}
    record     nest_lon source_ip %{location.longitude}
    # only plugin errors are logged; lookups for addresses absent from the
    # database (e.g. private ranges) are not reported per record — presumably
    # intended to keep the log quiet
    log_level  error

[FILTER]
    name          nest
    match         peers
    operation     nest
    # fold nest_lat/nest_lon into source_location as lat/lon
    wildcard      nest_*
    remove_prefix nest_
    nest_under    source_location

# use common client_ip field across various vpn engines
[FILTER]
    name      modify
    match     peers
    # same IPv4-only condition as for endpoint_ip above
    condition key_value_matches allowed_ip [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    rename    allowed_ip client_ip

# custom geoip data for peer's internal ip
[FILTER]
    name       geoip2
    match      peers
    # site-specific mmdb mapping internal client addresses to a name field
    database   /etc/fluent-bit/ke.mmdb
    lookup_key client_ip
    record     source_name client_ip %{name}
    log_level  error

[FILTER]
    name   modify
    match  peers
    # use common tx/rx field across various vpn engines
    rename transfer_rx source_bytes
    rename transfer_tx destination_bytes
    # this host is the VPN endpoint, so its identity and location become the
    # destination side of the record; "add" sets a key only if it is absent
    add    destination_name {{inventory_hostname}}
    # hard-coded variable in ansible inventory
    add    destination_country_name {{country}}
    add    destination_city_name {{city}}
    # fresh nest_* keys (the earlier ones were consumed by the first nest filter)
    add    nest_lat {{lat}}
    add    nest_lon {{lon}}

[FILTER]
    name          nest
    match         peers
    operation     nest
    # fold the nest_lat/nest_lon added above into destination_location
    wildcard      nest_*
    remove_prefix nest_
    nest_under    destination_location

[FILTER]
    name  modify
    match peers
    # identify the emitting sensor/host on every record
    add   sensor peers@{{inventory_hostname}}

# local file output kept for debugging; uncomment to dump the records to
# /var/log/fluent-bit.log instead of (or alongside) OpenSearch
#[OUTPUT]
#    name  file
#    match peers
#    path  /var/log
#    file  fluent-bit.log

[OUTPUT]
    name               opensearch
    match              peers
    host               {{log_host}}
    port               {{log_port}}
    # TLS with certificate verification stays on; resolve certificate errors
    # by fixing the trust chain rather than disabling tls.verify
    tls                on
    tls.verify         on
    index              audithack-peers
    # NOTE(review): the rendered file holds this password in clear text; keep
    # the file readable only by the fluent-bit user, or supply the value via an
    # environment variable (${VAR} substitution) so it is not stored on disk here
    http_user          {{log_http_user}}
    http_passwd        {{log_http_passwd}}
    # OpenSearch has no mapping types; omit _type from bulk requests
    suppress_type_name on
    #replace_dots      on
    # log the request/response when OpenSearch returns an error for a bulk request
    trace_error        on